
List:       xmlbeans-dev
Subject:    Fwd: XXE
From:       Jon Gorrono <jpgorrono () ucdavis ! edu>
Date:       2013-01-31 0:40:56
Message-ID: CAHFnCW6JDQqNoC+WH7Dk0R_++BXQkq1igfKjsCbeg5jrpUBKCg () mail ! gmail ! com

Hello.

I didn't get a bite on the question below posted to the user@xmlbeans
list a couple of weeks ago so I am working up the chain ;)

To restate the question, does xmlbeans use 'safe' defaults for XML
parsing features to avoid XXE and DTD operations? Both are capable of
exposing sensitive system documents and of acting as a conduit for XSS.

And/or are the setting of parsing features exposed so that users of
xmlbeans can set them?


From the department of TMI, my immediate interest is in a project that
uses POI, and POI uses xmlbeans to parse OOXML documents. POI punted me
to xmlbeans.... under the assumption that they have no control over
the parsing features used by xmlbeans.

Can anyone here provide any insight?

Thanks.
Jp


---------- Forwarded message ----------
From: Jon Gorrono <jpgorrono@ucdavis.edu>
Date: Mon, Jan 14, 2013 at 6:37 PM
Subject: XXE
To: user@xmlbeans.apache.org


Hello.

There's been a lot going around lately about XML External Entity
definitions and how they (and related constructs) can be exploited in
nefarious ways.

Does xmlbeans set safe defaults for 'features' on xml processors? If
not, are the base objects accessible to developers (users of xmlbeans)
so that processing 'features' can be set?

Thanks


--
Jon Gorrono
PGP Key: 0x5434509D -
http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
http://middleware.ucdavis.edu


--
Jon Gorrono
PGP Key: 0x5434509D -
http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
http://middleware.ucdavis.edu

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xmlbeans.apache.org
For additional commands, e-mail: dev-help@xmlbeans.apache.org
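The second half of the poster's question (are the parser features reachable from xmlbeans at all?) can be answered in code. What follows is an added example, not code from the thread, from the poster, or from the XmlBeans or POI projects. It uses the XmlOptions.setLoadUseXMLReader hook, which XmlBeans exposes so that a caller can hand it its own SAX XMLReader instead of the library's built-in parser, and builds that reader with the JDK's SAXParserFactory with DOCTYPE declarations and external entities switched off. The XXE probe string and the file path inside it are constructed for the example. Whether XmlBeans' default options reject or resolve the probe is exactly the open question in the thread, so the example does not assume an answer: it runs the same probe through default and hardened options and reports what each does on the XmlBeans version actually on the classpath.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/**
 * Added example: loading XML through XmlBeans with a caller-supplied,
 * hardened SAX reader, and checking the result against an XXE probe.
 */
public final class HardenedXmlBeansLoad {

    // Constructed XXE probe (not a real document from the thread): a DOCTYPE
    // that declares an external general entity pointing at a local file.
    // A parser that resolves external entities would read the file and
    // return its contents as the text of <doc>.
    static final String XXE_PROBE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<doc>&xxe;</doc>";

    /** A SAX reader with DTD processing and external entity resolution disabled. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);   // XmlBeans needs namespace-aware events
        f.setValidating(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright stops both external entities and
        // internal entity-expansion tricks before any entity is declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a DOCTYPE ever has to be allowed: never
        // fetch external general/parameter entities or an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    /** XmlOptions that make XmlBeans parse through the hardened reader. */
    static XmlOptions hardenedOptions() throws ParserConfigurationException, SAXException {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());
        return opts;
    }

    /**
     * Parses the probe with the given options. Returns true when XmlBeans
     * refuses the document (the outcome we want), false when it accepts it.
     */
    static boolean rejectsXxeProbe(XmlOptions opts) {
        try {
            XmlObject.Factory.parse(XXE_PROBE, opts);
            return false;
        } catch (XmlException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Default options: whatever this XmlBeans build does out of the box.
        System.out.println("default options reject XXE probe:  "
            + rejectsXxeProbe(new XmlOptions()));
        // Hardened options: the DOCTYPE is refused, so the entity is never
        // declared, let alone resolved.
        System.out.println("hardened options reject XXE probe: "
            + rejectsXxeProbe(hardenedOptions()));
    }
}
```

Two practical notes. First, a rejected probe proves the reader refused the DOCTYPE, but an accepted probe only tells you the document parsed; to distinguish "entity left unexpanded" from "file read" you would inspect the text content of the parsed XmlObject, which is why the default-options result above is printed rather than interpreted. Second, setLoadUseXMLReader covers the XmlObject.Factory.parse path; any code that parses OOXML parts through a different entry point, or that builds its own parser before handing a Node or XMLStreamReader to XmlBeans, needs the same hardening applied at that parser.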
